Date:      Sun, 10 Dec 2000 11:48:30 +0100 (CET)
From:      Poul-Henning Kamp <phk@critter.freebsd.dk>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/23415: /etc/security fails to show all relevant messages.
Message-ID:  <200012101048.eBAAmUP97063@critter.freebsd.dk>
Resent-Message-ID: <200012101050.eBAAo2g84530@freefall.freebsd.org>


>Number:         23415
>Category:       bin
>Synopsis:       /etc/security fails to show all relevant messages.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 10 02:50:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Poul-Henning Kamp
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
P. E. Mønsted, the frigate Jylland as a child.
>Environment:
System: FreeBSD critter.freebsd.dk 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Fri Dec 1 17:26:14 CET 2000 root@critter.freebsd.dk:/freebsd/src/sys/compile/FLUTTER i386


>Description:

	/etc/security will examine only the current /var/log/messages
	and /var/log/messages.0 (with and without .gz suffix) for log
	messages relevant for yesterday.

	/etc/newsyslog.conf specifies that the messages file is rotated
	once per day *or* when the size exceeds 100kB.

	If you are under attack, you are quite likely to have your
	messages rotated due to the size criteria and the next run
	of /etc/security will only report on a fraction of the reality.

>How-To-Repeat:

	Piss off a scriptkiddie, notice that /etc/security doesn't show
	the full magnitude of his lameness.

>Fix:

	I think the catmsgs() function:
		catmsgs() {
		  # only the newest rotation (.0, plain or gzipped) and the live file
		  [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz
		  [ -f $LOG/messages.0 ] && cat $LOG/messages.0
		  [ -f $LOG/messages ] && cat $LOG/messages
		}
	maybe should do something like:

		catmsgs() {
		 # every rotation touched in the last two days, oldest first;
		 # zcat -f passes uncompressed generations through unchanged
		 find $LOG/ -name 'messages.*' -mtime -2 -print |
		    sort -r |
		    xargs zcat -f
		 [ -f $LOG/messages ] && cat $LOG/messages
		}


>Release-Note:
>Audit-Trail:
>Unformatted:
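To make the gap described in the report concrete, the following added example (not code from this PR or from FreeBSD's /etc/security) builds a constructed /var/log look-alike in which the messages file was rotated three times within two days, as size-triggered rotation does during a burst of log traffic, and compares what the original and the proposed catmsgs() each deliver to the daily check. It assumes a POSIX sh with find, sort, xargs, sed and gzip, and writes the report's "zcat -f" as the equivalent "gzip -cdf".

```shell
#!/bin/sh
# Added example, not from the PR or from FreeBSD. Simulates newsyslog having
# rotated /var/log/messages three times in the last two days and shows how
# much of it each catmsgs() variant hands to /etc/security.

make_fake_log_dir() {
  dir=$(mktemp -d)
  # Constructed syslog lines (192.0.2.0/24 is the documentation range).
  # The unsuffixed file is newest; older generations are numbered upward
  # and gzipped after the first one, as newsyslog does.
  echo 'Dec 10 10:00:00 host sshd[1]: Failed password for root from 192.0.2.7' >"$dir/messages"
  echo 'Dec 10 09:00:00 host sshd[2]: Failed password for root from 192.0.2.7' >"$dir/messages.0"
  echo 'Dec 10 08:00:00 host sshd[3]: Failed password for root from 192.0.2.7' >"$dir/messages.1"
  echo 'Dec 10 07:00:00 host sshd[4]: Failed password for root from 192.0.2.7' >"$dir/messages.2"
  gzip "$dir/messages.1" "$dir/messages.2"
  echo "$dir"
}

# Original /etc/security logic: only the newest rotation is consulted.
catmsgs_old() {
  [ -f "$1/messages.0.gz" ] && gzip -cdf "$1/messages.0.gz"
  [ -f "$1/messages.0" ] && cat "$1/messages.0"
  [ -f "$1/messages" ] && cat "$1/messages"
}

# Proposed logic: every generation rotated in the last two days, oldest first.
catmsgs_new() {
  find "$1/" -name 'messages.*' -mtime -2 -print | sort -r | xargs gzip -cdf
  [ -f "$1/messages" ] && cat "$1/messages"
}

# Number of failure lines each variant delivers to the report.
count_old() { catmsgs_old "$1" | grep -c 'Failed password'; }
count_new() { catmsgs_new "$1" | grep -c 'Failed password'; }

# Rotated generations the original function never opens.
missed_by_old() {
  find "$1/" -name 'messages.*' -mtime -2 -print | sort -r |
    sed 's,.*/,,' | grep -v -e '^messages\.0$' -e '^messages\.0\.gz$'
}

LOG=$(make_fake_log_dir)
echo "old catmsgs reports $(count_old "$LOG") failure line(s)"
echo "new catmsgs reports $(count_new "$LOG") failure line(s)"
echo "skipped by old catmsgs: $(missed_by_old "$LOG" | tr '\n' ' ')"
rm -rf "$LOG"
```

With the constructed directory the old function reports 2 of the 4 failure lines and never opens messages.1.gz or messages.2.gz; the proposed one reports all 4.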